IBM Support

Explain the use of tcpdump commands.

Question & Answer

Answer

Solution
To get the full details for tcpdump, run man tcpdump on the Passive Capture machine or consult the www.tcpdump.org Web site. The short form is as follows:

tcpdump -ni DEVICE -s0 -w dumpfile filterString

where:
  • DEVICE is the device name of the sniffer (capture) NIC; use the ifconfig command to list the NIC device names.
  • dumpfile is the name of the file the dump is written to.
  • filterString is the IP/port expression you wish to capture.
If you want to run a test to validate the capture, remove the -w option; output is then sent to the console. Use tcpdump to determine whether the capture (sniffer) ports are receiving traffic:

tcpdump -ni bge0 |more

tcpdump -ni bge1 |more

Look for specific traffic:

tcpdump -ni bge0 host <IP address> and port <IP port number> |more

where

  • <IP address> and <IP port number> might be 10.10.10.2 and 80, for example.

Manual method of using tcpdump to capture HTTP(S) traffic to dump file:

tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port \(80 or 443\)

tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port '('80 or 443')'

tcpdump -ni bge0 -s0 -w dumpfile net xxx.xxx.xxx.0/24 and port 80

Using existing tcpdump file to extract specific traffic to another dump file:

tcpdump -nr dumpfile -s0 -w newfile host ipAddr and port #nmbr

If tcpdump shows traffic when run without a filter but matches nothing once a filter is applied, the cause is typically an additional Ethernet header, usually an 802.1Q VLAN tag. Use the tcpdump -e option to display this extra header information, which appears as:

... ethertype 802.1Q length 64: vlan 128 p 0 ethertype IPv4 IP 192.168.128.42.8001 > 192.168.128.90.20700:

Trying to filter with tcpdump then fails. An example is filtering on a known port number, such as tcpdump -ni eth2 port 8001. If tcpdump is unable to provide filtered output, the capture system is not able to do so either. If it is VLAN-tagged traffic, use the vlan expression operator as part of the filter expression:

tcpdump -ni eth2 vlan and port 8001

Other examples of filtering with VLAN packets:

tcpdump -nr tst.dmp 'ether[12:2] = 0x8100'
tcpdump -nr tst.dmp vlan and ip and port 8001

Show both types of traffic:

tcpdump -nr tst.dmp ip or vlan
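As an added illustration (not part of the original article), the following Python parser shows why a plain port filter, which expects the IPv4 header to start at Ethernet offset 14, misses 802.1Q-tagged frames, and why the vlan keyword (which skips the 4-byte tag) or an explicit ether[12:2] = 0x8100 test is needed. The frames are constructed inline; tcpdump is not invoked.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag; the value tested by 'ether[12:2] = 0x8100'
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_port, dst_port, vlan_id=None):
    """Construct an Ethernet/IPv4/TCP SYN frame, optionally 802.1Q-tagged.
    Addresses and ports are constructed sample values, not captured data."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # dst, src MAC
    if vlan_id is not None:
        # TPID 0x8100 followed by TCI: PCP (3 bits) = 0, DEI = 0, VID (12 bits)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 words, SYN flag, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, ID, flags/frag, TTL, proto 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 128, 42]), bytes([192, 168, 128, 90]))
    return eth + ip + tcp


def tcp_ports(frame, vlan_aware):
    """Return (src_port, dst_port) for a TCP frame, or None when the frame
    would not be matched. With vlan_aware=False the logic mirrors a plain
    'port N' filter: it only accepts an IPv4 ethertype at offset 12."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETHERTYPE_VLAN:
        if not vlan_aware:
            return None        # tag hides the IP header from the filter: no match
        off += 2               # skip the TCI, as the 'vlan' keyword does
        ethertype = struct.unpack_from("!H", frame, off)[0]
        off += 2
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[off] & 0x0F) * 4        # IP header length in bytes
    if frame[off + 9] != 6:              # protocol field must be TCP
        return None
    return struct.unpack_from("!HH", frame, off + ihl)


if __name__ == "__main__":
    tagged = build_frame(8001, 20700, vlan_id=128)
    print("plain filter on tagged frame:", tcp_ports(tagged, vlan_aware=False))
    print("vlan-aware filter on tagged frame:", tcp_ports(tagged, vlan_aware=True))
```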

Article Reference
00000130

Applies to version(s): 7.x;8.x



Document Information

Modified date:
08 December 2018

UID

ibm10777385